Password reset feature can be used to change the password of any user if email is known
Anyone can reset a user's password if you know the email of the user, there should be a email reset link send and the password should not be changed immediately.
This feature can be used for an attack is a script is made changing the user's password every few seconds, disabling the user to log in at all.